Re: Solaris 2.3 login

[peter () haywire DIALix oz au (Peter Wemm)]

richard oxbrow writes:
> You wrote to me about **Re: Solaris 2.3 login**:
> : well i had a bit of a hack around last night with 2.3 login. it seems you
> : can set enviroment variables with login such as
> : 
> : ..
> : this will quite hapilly core dump login. now i dont see a huge problem so
> : much from this unless of course someone has managed to compromise saf or
> : ttymon as well. *shrug* but when it is core dumped it is running as root
> : and it does leave a world writeable core in /. im not sure if this would
> : make it insecure as i havent had much experience in cracking systems, but
> : im sure there are some people out there that can do a fair amount of damage
> : given a world writable file owned by root. *shrug* will there be a patch?
> : 
>
> Run strings over the core - and see how much of /etc/shadow is in the
> core file. You could trying leaving a core file behind and chmod to 
> 0000 to stop other people from  reading the core file ( if you find bits
> of /etc/shadow in the core) ...  and cat /dev/null > /core to zero the
> file.
>
>     .richard                          

Since it seems to let you set ENV variables, has anybody thought about
LD_LIBRARY_PATH and friends?  I dont have access to a solaris system
to find out, but if it'll pass a bogus LD_LIBRARY_PATH to something
that login exec()'s, that might be bad.  Still, the damage may br
minimal, but it might be a good way to intercept accounts with no
password (eg: archie, help, type accounts...)

It might also be possible to get the login binary (while uid==0) to
load a bogus nsswitch library and/or other name-to-address translator
in /etc/netconfig if you tell login that you are running a newtork
login (-r, -h flags, etc).

I dont know.. Has anybody messed with this yet?

-Peter